Protocol Handler JS Check - Review the use of custom protocol handlers
Electron allows defining custom protocol handlers so that the application can use deep linking to exercise specific features. Since external protocol handlers can be triggered by arbitrary origins, it is important to evaluate how they are implemented and whether user-supplied parameters can lead to security vulnerabilities (e.g., injection flaws).
Risk
The use of custom protocol handlers opens the application to vulnerabilities triggered by a user clicking on a malicious link, or by an arbitrary origin forcing navigation to one: any web page, e-mail client or other application that can launch a URL with the registered scheme can invoke the handler and choose every parameter the handler receives.
Auditing
To register a custom protocol handler, it is necessary to use one of the following functions (`setAsDefaultProtocolClient` belongs to the `app` module and registers the application with the operating system as the handler for a scheme; the remaining functions belong to the `protocol` module and define how a scheme is served inside the application):
- setAsDefaultProtocolClient
- registerStandardSchemes
- registerServiceWorkerSchemes
- registerFileProtocol
- registerHttpProtocol
- registerStringProtocol
- registerBufferProtocol
- registerStreamProtocol
Our check flags those occurrences; each registration must then be reviewed by hand. In particular, trace where the URL reaches the application (the `open-url` event of `app` on macOS; the command-line arguments of the newly launched process, or the `second-instance` event when a single-instance lock is used, on Windows and Linux) and every sink the parsed parameters flow into (for example `loadURL`, `shell.openExternal`, file paths or shell commands), and verify that the scheme, the action and each parameter are validated against an allowlist before they are used.